Data Protection Policy and Impact Assessment

Dennington Parish Council

This policy describes how the Parish Council and its Officers comply with the requirements of the General Data Protection Regulation 2018 (GDPR).

Definitions

‘Personal data’ is data relating to a living person who can be identified from that data.

‘Sensitive data’ is data relating to race; ethnic origin; politics; religion; trade union membership; genetics; biometrics (where used for ID purposes); health; sex life; or sexual orientation.

‘Processing data’ means any operation performed on that personal data such as collection, recording, use, etc.

Roles & responsibilities

All councillors, officers and employees shall ensure that personal data is:-

PROCESSED FAIRLY AND LAWFULLY - This means that information should only be collected from individuals if staff and Councillors have been open and honest about why they want the information.

PROCESSED FOR SPECIFIED PURPOSES ONLY.

RELEVANT TO WHAT IT IS NEEDED FOR - Data will be monitored so that too much or too little is not kept; only data that is needed should be held.

ACCURATE AND KEPT UP TO DATE - Personal data should be accurate; if it is not, it should be corrected.

NOT KEPT LONGER THAN IT IS NEEDED.

PROCESSED IN ACCORDANCE WITH THE RIGHTS OF INDIVIDUALS - This means that individuals must be informed, upon request, of all the information held about them.

KEPT SECURELY - This means that only staff and Councillors can access the data; it should be stored securely so it cannot be accessed by unauthorised persons.

Type and basis of data that is processed

The Parish Council processes personal data solely for the purpose of conducting public tasks associated with the statutory duties of the Parish Council. This data typically includes names, addresses, telephone numbers and e-mail addresses associated with correspondence, Trustees of the various village charities, and employees of the Council.

The council collects sensitive data about Councillors as part of the annual declaration of interests that is required by law. This information is shared with East Suffolk District Council to compile the Register of Interests. This register is a public record and is available for examination at the district council offices.

The Parish Council also holds a copy of the Electoral Roll. Although the Electoral Roll is a public record, our copy of the Electoral Roll shall not be shared with any other persons or organisations. Suffolk Coastal District Council is responsible for the compilation and maintenance of the Electoral Roll.

The council does not process data relating to children or criminal offences or convictions.

When designing surveys (e.g. Neighbourhood Plan), it is important to ensure that the questions and data collected do not include sensitive data. Survey responses should be anonymous. However, given the small size of the village, it may still be possible to identify a living person from the anonymous data. In such cases, this data shall be protected as personal data.

How the parish council uses personal data

The councillors and clerk shall only use personal data for the purpose for which it has been given. Personal data shall not be given to third parties without the consent of the person that the data relates to. Personal data will never be sold or used for political purposes.

Once data has been used for the purpose for which it has been given, or is not needed any more, it shall be securely destroyed (e.g. by shredding or secure deletion).

Personal data held by the council will be reviewed periodically to ensure that too much or too little is not kept; and only data that is needed is held.

How the parish council protects personal data

The parish council will not store any data on ‘cloud’ services or remote servers. Electronic personal data storage shall be encrypted, password-protected and protected by up-to-date anti-virus/anti-malware software.

Prior to disposal of redundant electronic storage media, the storage media shall be physically destroyed to prevent unauthorised data recovery.

Wherever possible, the council will use data already available in the public domain (e.g. reviewing planning applications on the Planning Portal) to avoid creating additional personal data.

Where possible, members of the public will not be identified in Minutes, unless they request to be named.

Paper records will be kept in a locked cabinet in the Clerk’s office when not in use.

As of May 2018, legislation stated that Parish Councils are not required to appoint a Data Protection Officer. Dennington Parish Council has therefore not appointed a DPO.

Any unauthorised access, loss or suspected loss of personal data shall be reported immediately to the Clerk and Chair of the Council. The Chair shall notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the personal data breach and initiate an investigation.

Rights of individuals

Individuals have the right to access their personal data, to withdraw their consent for personal data to be processed, to have inaccurate data corrected and to request the deletion of personal data.

Applications may be made to the Parish Clerk. A copy of the information shall be provided free of charge and within one month of the request being made. In addition to the data, the reasons that the personal data is processed and who has accessed the data must also be provided. Any corrections or deletions shall be made within one month.

In the event of a manifestly unfounded or excessive request, particularly if it is repetitive, a reasonable fee based on the administrative cost of providing the information will be charged. Alternatively, the council may refuse unfounded, excessive or repetitive requests and will write to the individual confirming the reason for refusal within one month.

Further Information

More detailed information is available at www.ico.org.uk

Signed: M. Lunn

Chairman

27th July 2020